Fraud detection based on call attempt velocity on terminating number

ABSTRACT

A method of identifying fraud in a telecommunications system, the method including receiving data related to a current call placed from an originating ANI to a terminating ANI, where the received data includes the terminating ANI and a billing number used to place the call. Billing numbers for prior calls to the terminating ANI, if any, and corresponding indicia of the times of the calls are retrieved. A determination is made of whether the number of billing numbers used for the current and prior calls to the terminating ANI over a prior period of time falling within a time interval satisfies a threshold. If the threshold is satisfied, a fraud alert is generated.

BACKGROUND OF THE INVENTION

1. Technological Field

The invention relates to preventing fraudulent access to atelecommunications system. In particular, the invention relates toidentifying fraudulent calls terminating at a particular telephonenumber (a “terminating automatic number indicator” or “terminatingANI”).

2. Description of the Related Art

Fraud costs the telecommunications industry billions of dollars peryear. There are many techniques used to perpetrate fraud. The fraud canbe as simple as using a stolen credit card to charge a long distancecall, or it can involve sophisticated looping techniques, such asrepeatedly calling a private PBX system, finding the correct sequence toaccess an outside line (by trial and error or other hacking techniques)and then placing a costly long distance call through the PBX system. Thetelecommunications industry is involved in an intensive and ongoingeffort to identify different types of fraud and then to develop andimplement ways of preventing such fraud.

Fraud is more costly to certain telecommunications companies thanothers. For example, where a fraudulent call is directed at a companythat owns the underlying telecommunications infrastructure, the cost ofthe call is less than the cost to an independent company that incursaccess charges to the owner(s) of the infrastructure supporting thecall, even if the call is fraudulent. In either case, however, the costto the industry is significant.

Particular methods of fraud control and systems for implementing themare known in the industry. Fraud control may be divided conceptuallyinto identifying a call that is likely to be fraudulent and respondingafter a call is identified as likely to be fraudulent. Methods ofidentifying calls that are likely to be fraudulent vary from the simpleto the sophisticated and are generally directed at a particular type offraudulent activity. For example, a call is likely to be fraudulent ifit is made using a calling card that has been reported stolen by theowner.

A more sophisticated method and system of identifying fraudulent callsis described in U.S. Pat. No. 5,768,354, entitled “Fraud Evaluation AndReporting System and Method Thereof”, which is owned by the assignee ofthe present invention. Fraudulent activity is identified in the '354patent by monitoring a billing detail record created for each call. Inthe simple case, where the company's database shows that the billingnumber being used for a call has been reported lost, stolen, etc., thebilling detail record includes a header designating it as a “bad billingnumber”; the call is then immediately identified as fraudulent and analert is generated in the system.

The '354 patent is directed to calls that require “special service”,that is, which are placed through an operator or an automatic operationsupport system. Such calls generally require the caller to manuallysupply the billing number, such as by pressing numbers on a payphone,swiping the magnetic strip on a card through a card reader or speakingwith an operator. It may also require the caller to identify thecategory of billing product (such as credit card, calling card, orpre-paid phone card) for the billing number. The category of the billingproduct may alternatively be identified by the system by matching all orpart of the billing number with billing numbers (or ranges of billingnumbers) stored in an identification database, where the stored billingnumbers are correlated with the category of billing product. Theidentification database may also correlate a billing number with theparticular type of billing product for the category. For example, wherethe category of the billing number is identified as a credit card, theidentification database may use the billing number to further identifythe type of credit card, such as Visa, Master Card, American Express,etc.

The '354 patent also identifies fraudulent activity by monitoring use ofa billing number over time. For example, where the number of domesticcalls placed within a certain amount of time using the same billingnumber exceeds a threshold, an alert is generated. International callsare similarly handled, however, the threshold may be adjusted so thatfewer calls within the time period generate an alert. In addition, thethreshold may be further adjusted for calls to countries where a highpercentage of fraudulent calls are directed. The thresholds may also bevaried by the billing product. For example, fraudulent activity may bedetermined to be more likely to occur on a calling card than on a thirdparty call; consequently, the threshold may be set lower for callingcard products.

Once a call initiates an alert that the call might be fraudulent,additional activity may be taken to further examine whether the billingnumber is being used fraudulently, or steps may be taken to preventfurther calls using the billing number. In the '354 patent, after analarm is generated, data for prior calls charged to the billing numberare sent to a fraud analyst, who analyzes that data and may determinewhether or not to deactivate the card. If the decision is to deactivatethe card, the '354 patent describes the analyst as setting a fraud flag.

While monitoring billing numbers and blocking those numbers displayingevidence of fraudulent usage is an important component of fraudprevention, no one technique in itself is sufficient to preventfraudulent access. Perpetrators of fraud (also referred to herein as“hackers”) are persistent and creative and are constantly developing newways of evading fraud prevention mechanisms. In addition, there is aready (and relatively inexpensive) supply of stolen billing numbersavailable to those who are so disposed to obtain and use them. Thus, thefraud detection and prevention techniques that focus on repeated use ofa single billing number may not be effective against hackers who have asupply of different billing numbers.

For example, a series of fraudulent calls may be made from a singleoriginating ANI over time. One prominent example of this type offraudulent activity is when an attempt is made to hack into a privatePBX in order to access information or to use the PBX to make asubsequent call. In the latter case, the call to the PBX may be a localor domestic call, which is less likely to attract attention, whereas thesubsequent call made from the PBX may be a costly international call. Ifsuch calls are made using different billing numbers, then the fraud willnot be prevented based on fraud prevention techniques that rely onrepeated use of a billing number.

One possible way of preventing this type of fraud would be to monitorthe activity of the originating ANI. A fraud alert may be generated if athreshold number of different billing numbers are used to place callswithin a certain time interval. The threshold and time interval may beset based on the type of originating ANI. For example, the number ofdifferent billing numbers used to place calls at a payphone over thecourse of an hour will likely be relatively high, since many differentpeople have access to such a phone. By contrast, the number of differentbilling numbers for calls placed from a private cellular phone wouldnormally be quite low. The fraud alert may be followed by blocking callsfrom the originating ANI, for example. Such a technique is described inU.S. patent application Ser. No. 09/575,469 [COS 99-046] entitled “FraudDetection Based On Call Attempt Velocity On Originating Number”, filedMay 22, 2000, and assigned to the assignee of the present application.

Under certain circumstances, however, a hacker may readily avoid theblocking of an originating ANI. For example, the hacker may have a bankof payphones available, and simply move on to the next payphone once theone he is using becomes blocked.

A hacker operating in such a manner, using different billing numbers aswell as moving from one phone (originating ANI) to another is oftenplacing calls to the same terminating ANI. The hacker will often betrying to access a private PBX which takes repeated calls in order toachieve the hacker's goal by trial and error. (The “goal” may bedetermining how to access a database serving the PBX or an outside lineof the PBX, so that a subsequent call may be placed through the PBX.)

Thus, it would be desirable to have a system and method for detectingand preventing fraud in a telecommunications system where repeated callsare being made to the same terminating ANI from different originatingANIs using different billing numbers.

SUMMARY OF THE INVENTION

It is an objective of the present invention to provide a method andsystem for detecting fraudulent calls directed at a terminating ANI. Itis also an objective to detect such calls where the fraudulent calls arebeing made from different originating ANIs and using different billingnumbers. It is also an objective of the present invention to preventfurther fraudulent calls from being made to the terminating ANI.

In accordance with these objectives, one preferred embodiment of thepresent invention provides a method of identifying fraud in atelecommunications system. The method includes receiving data related toa current call placed from an originating ANI to a terminating ANI,where the received data includes the terminating ANI and a billingnumber used to place the call. Billing numbers for prior calls to theterminating ANI, if any, and corresponding indicia of the times of thecalls are retrieved. A determination is made of whether the number ofbilling numbers used for the current and prior calls to the terminatingANI over a prior period of time falling within a time interval satisfiesa threshold. If the threshold is satisfied, a fraud alert is generated.

In general, there are two ways to utilize a “threshold”, namely (1)determine whether the threshold is exceeded or (2) determine whether thethreshold is met or exceeded. Thus, for the purposes of thisapplication, the term “satisfying” a threshold is defined as either ofthese two cases. That is, a threshold is defined as “satisfied” when itis exceeded. A threshold is alternatively defined as “satisfied” when itis met (equaled) or exceeded. Similarly, a period of time is defined as“falling within” a time interval if it is less than the time intervaland a period of time is alternatively defined as “falling within” a timeinterval if it is less than or equal to the time interval.

When the data for the current call is received, a check may also beperformed (for example, in the memory) to determine if there is athreshold number and a time interval corresponding to the particularterminating ANI. If there is, the threshold number and the time intervalare retrieved and used in determining whether the number of billingnumbers used for the current and prior calls to the terminating ANI overa prior period of time falling within the retrieved time intervalsatisfies the retrieved threshold number.

Another preferred embodiment of the invention is also a method ofidentifying fraud in a telecommunications system. The method includesreceiving data related to a current call placed from an originating ANIto a terminating ANI, where the received data includes the terminatingANI and a billing number. The received data is stored, for example, in amemory. The billing numbers and corresponding indicia of times of callsto the terminating ANI are retrieved at an initiating event. (Theinitiating event may be the storage of data related to the current callplaced to the terminating ANI, or the elapse of a period of time.) Adetermination is made of whether the number of billing numbers used forcalls to the terminating ANI over a prior period of time falling withina time interval satisfies a threshold number. If the threshold number issatisfied, a fraud alert is generated.

After the initiating event, a check may also be performed (for example,in the memory) to determine if there is a threshold number and a timeinterval corresponding to the particular terminating ANI. If so, thethreshold number and the time interval are retrieved and used indetermining whether the number of billing numbers used for calls to theterminating ANI over a prior period of time falling within the retrievedtime interval satisfies the retrieved threshold number.

Another embodiment of the present invention is a system for identifyingfraud in a telecommunications system. The system comprises at least oneprocessor, memory and related software. The at least one processorreceives data related to a current call placed to a terminating ANI,where the received data includes at least the terminating ANI and abilling number. The processor retrieves from memory billing numbers forprior calls to the originating ANI, if any, and an indicia of the timesof the calls. The processor also determines whether the number ofbilling numbers used for the current and prior calls to the terminatingANI over a prior period of time falling within a time interval satisfiesa threshold number. If the threshold number is satisfied, a fraud alertis generated.

When the call is received, the processor may also determine whether athreshold number and a time interval corresponding to the particularterminating ANI are stored in the memory. If so, the threshold numberand the time interval are retrieved and used in determining whether thenumber of billing numbers used for the current and prior calls to theterminating ANI over a prior period of time falling within the retrievedtime interval satisfies the retrieved threshold number.

In the cases where a threshold number and a time interval correspondingto a particular terminating ANI are stored in the memory, the thresholdand time interval for the terminating ANI may be a function of othervariables, such as the billing product used for the call, the type oforiginating ANI, the time of day, day of the week, etc. If so, theappropriate threshold number and the time interval are retrieved andused in determining whether the number of billing numbers used for thecurrent and prior calls to the terminating ANI over a prior period oftime falling within the retrieved time interval satisfies the retrievedthreshold number.

Techniques of determining whether the number of billing numbers used forcalls to a terminating ANI over a prior period of time satisfies athreshold and generating a fraud alert if the threshold is satisfiedwill be referred to hereinbelow as fraud detection based on Call AttemptVelocity on a Terminating ANI or number (“CAVT”).

BRIEF DESCRIPTION OF THE DRAWINGS

The above and other objects, features and advantages of the presentinvention will become more apparent from the following detaileddescription when taken in conjunction with the accompanying drawings inwhich:

FIG. 1 is a block diagram of a telephone system that includes anintelligent services network (ISN);

FIG. 1 a is a block diagram of an alternative telephone system thatincludes an ISN;

FIG. 2 is a block diagram of a preferred embodiment of the presentinvention as supported by the infrastructure of an ISN; and

FIG. 3 is a flow chart of the processing of a preferred embodiment ofthe present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Referring to FIG. 1, a representation of an underlying telephone systemis shown which provides the context for the present invention. A callfrom an originating telephone 10 (also referred to as an originatingautomatic number indicator or originating ANI) is connected to an ISN 40through a first competitive local exchange carrier 20 (CLEC) and a firstbridge switch (B/S) 30. After processing, the ISN 40 routes the call toterminating telephone 70 (also referred to as an terminating automaticnumber indicator or terminating ANI) via a second B/S 50 and a secondCLEC 60.

Depending on where the call originates and terminates, additional oralternative infrastructure may support the connection between theoriginating ANI and the ISN and/or between the terminating ANI and theISN. For example, as shown in FIG. 1 a, if the call is made to aterminating ANI 70 a in a foreign country, the call is routed from theISN 40 a to the terminating ANI 70 a through B/S 50 a, internationalgateway switching system 60 a and the local switching infrastructure 65a of the foreign country. The foreign country infrastructure 65 a can becomprised of a number of regional and local carriers.

An example of fraudulent calling for the system of FIG. 1 would be ahacker at the originating ANI 10 placing multiple calls to a PBX at theterminating ANI 70. The calls may be special service calls through theISN 40 (discussed further below) using a multiplicity of differentbilling numbers. An example of fraudulent calling for the system of FIG.1 a would be a hacker at the originating ANI 10 a placing multiple callsto one or more foreign terminating ANIs 70 a. Again, the calls may bespecial services calls made through the ISN using a multiplicity ofdifferent billing numbers.

The supporting connections for a call that is placed using the ISNplatform are billed to the company that owns and/or operates the ISN(referred to as the “telecommunications company”). Referring back toFIG. 1, the connection charges of CLEC 20, B/S 30, B/S 50 and CLEC 60are the responsibility of the telecommunications company. Similarly, thetelecommunications company is responsible for the connection chargesshown in FIG. 1 a, including the international gateway connection 60 aand the connections 65 a made in the foreign country by foreigncarriers. Thus, the costs of the fraud to the telecommunications companygiven in the above examples may be significant. In addition, if thefraudulent caller is successful in hacking into a PBX, the PBX may beused to place subsequent fraudulent calls.

FIG. 2 represents components that support a preferred embodiment of asystem of the present invention. The components 100 shown in FIG. 2 arepart of a larger ISN platform, such as the ISN platforms 40, 40 arepresented in FIGS. 1 and 1 a. The components 100 are comprised of afraud control center 120 and associated blocking database 122, anautomatic response unit (ARU) 132, and a manual telecommunicationsoperator console (MTOC) 134 that preferably interface via an ethernetrail 138. A special service call is received by the ISN via the ARU 132or the MTOC 134. Thus, for example, a call placed at originating ANI 10of CLEC 20 shown in FIG. 1 is connected from the B/S 30 to the ISN 40via the ARU 132 or the MTOC 134 shown in FIG. 2.

As previously noted, calls that require special services generallyrequire the caller to manually supply a portable billing number (such asa credit card, calling card, pre-paid phone card, supplying a home phonenumber for a third party call, etc.), such as by pressing numbers on apayphone, swiping the magnetic strip of the card through a card reader,or speaking with an operator. Special services of an ISN are typicallyaccessed by a toll free or special access number, such as, for example,MCI WorldCom's (800) 888-8000 access number. As described further below,a special services call received through the ARU 132 or the MTOC 134will also include an identification code (information digit) from theCLEC 20 identifying the type of originating ANI 10. The terminating ANI,of course, is also supplied to the ISN in a special services call, sinceit is the number dialed by the caller.

Fraud control center 120 includes a system 124 that directly supports anembodiment of the present invention. In general, the system 124comprises at least one processor (or computer) 124 a, memory 124 b andprocessing software 124 c. The system may reside anywhere along ethernetrail 138 but is typically located in a fraud control facility, such asfraud control center 120.

System 124 generates fraud alerts based on suspect calling patterns tothe same terminating ANI. Processor 124 a receives data for specialservices calls received via the ARU 132 or MTOC 134. The data receivedincludes the terminating ANI and the billing number. The processor 124 aprocesses the calling data using the software 124 c and, for each call,creates a calling record in the memory 124 b. The calling record isreferenced (or addressed) in the memory 124 b by the terminating ANI andalso includes the billing number and the time of the call.

When a call is placed from the originating ANI using the specialservices platform (i.e., is received via the ARU 132 or MTOC 134), datafor the call is forwarded to the processor 124 a via ethernet rail 138.The prior calling records created and stored in memory 124 b for theterminating ANI are retrieved by the processor 124 a and evaluated,along with the current call, using the software 124 c. If the evaluationindicates that the pattern of calling from the originating ANI isconsistent with fraudulent activity, an alert is generated.

For example, a fraudulent pattern of calling may be suggested by specialservices calls placed to a terminating ANI using ten or more distinctbilling numbers within a one hour interval. If the data for the currentand past calls to the terminating ANI shows that ten or more differentbilling numbers have been used for calls within an hour, an alert isgenerated for the terminating ANI. If not, then a calling record iscreated for the current call and stored in the memory 124 b. (A callingrecord may be created for the current call even if an alert isgenerated.)

In the example described above, the threshold and time interval used togenerate a fraud alert are fixed numbers, namely a threshold of tendifferent billing numbers for calls made to a terminating ANI within anhour. Use of established thresholds and time intervals as defaultparameters will in many cases prove to be useful in generating fraudalerts for many (or perhaps most) terminating ANIs. In general, littleor nothing will be known about the particular terminating ANI beingcalled and there would be no basis to alter the threshold or timeinterval based on the terminating ANI received.

However, there are many terminating ANIs which may normally receive tenor more calls placed using different billing numbers in the course ofone hour. For example, a switchboard (or PBX) of a busy urban hospital,or the schedule and fare information number of a major carrier, mayroutinely get a surge of calls that exceeds these parameters. If defaultparameters are used in generating fraud alerts, these types ofterminating ANIs may therefore create numerous fraud alerts which do notreflect fraudulent calling patterns. The calling data generating a fraudalert may subsequently be analyzed by a fraud analyst, who mayinvestigate and determine that such a calling pattern does not reflectfraudulent calling to the particular terminating ANI. If the defaultparameters continue to be used for the terminating ANI, however, suchfraud alerts will continue to be generated, thus needlessly burdeningthe fraud analyst or other portions of the system.

On the other hand, for certain terminating ANIs, the default thresholdmay be too high. For example, lengthy fraudulent calls are commonly madeto terminating ANIs in foreign countries. Statistics available to orgenerated by the telecommunications company may show, for example, thatspecial services calls to a terminating ANI in a particular city orother calling area of a certain foreign country is likely to befraudulent. Calls to a particular city or region (whether foreign ordomestic) may often be identified by an area code, city code, regionalexchange, etc. of the terminating ANI. Where the fraud level is high,adjustment of the threshold and time interval for, calls to terminatingANIs in that calling region is warranted in order to generate an earlierfraud alert of possible fraudulent calling activity to the terminatingANI(s).

Thus, a database may be compiled based on experience with calls toterminating ANIs. The database may have particular thresholds and/ortime intervals for particular terminating ANIs. Accordingly, memory 124b may also include a look-up table (or other data compilation that maybe stored, retrieved and revised) where thresholds and time intervalsare stored for terminating ANIs. For example, for the hospital PBX notedabove, the telecommunications company may discover that it may be normalto have 15 special services calls within an hour placed to theterminating ANI from different originating ANIs using different billingnumbers. For this terminating ANI, it is therefore desirable to have afraud alert generated using a threshold of 20 different billing numbersover a one hour period. Thus, an entry is created in the look-up tablethat includes the terminating ANI, (for example, 516-555-1313),threshold of 20 and time interval of 1 hour. The entry is referenced(retrievable) in the database by the terminating ANI.

When a call is placed using the special services platform, in additionto retrieving the prior calling records created and stored in memory 124b for the terminating ANI, the processor 124 a also uses the terminatingANI to check the look-up table to see if there is a threshold and timeinterval stored for that terminating ANI. If the terminating ANI isfound, then the corresponding threshold number and time interval areretrieved and used to determine whether a fraud alert is generated forthe current and prior calls to the terminating ANI.

For example, if the current call is to the terminating ANI 516-555-1313given above, processor 124 a will find an entry for the terminating ANIin the look-up table and retrieve the corresponding threshold 20 andtime interval 1 hour from the look-up table. Processor 124 a will alsoretrieve prior calling records created and stored in memory 124 b forthe terminating ANI and evaluate them and the current call using theretrieved threshold and time interval. If the data for the current andpast calls to the terminating ANI shows that twenty or more differentbilling numbers have been used for calls within an hour, an alert isgenerated for the terminating ANI. If not, then a calling record iscreated for the current call and stored in the memory 124 b. (A callingrecord may be created for the current call even if an alert isgenerated.)

In addition, it is possible to store more than one threshold number andtime interval in memory 124 b for a particular terminating ANI. Eachthreshold number and time interval stored for a particular terminatingANI may be correlated to other factors. Such factors may include thetype of originating ANI the current call is made from, the type ofbilling product used for the current call, the time of day and/or theday of the week of the current call, etc.

For example, if the terminating ANI 516-555-1313 used in the exampleabove is a PBX at a busy hospital, it may be found that the peak callinghours may be weekdays between 9:00 a.m. and 6:00 p.m. A threshold numberof 20 and a time interval of 1 hour is desirable for this terminatingANI in this time-frame, as discussed above. Outside of that time frame,i.e., on weekends and weekdays from 6:01 p.m. to 8:59 a.m. when thereare normally a smaller number of special services calls to theterminating ANI, a threshold number of 10 and a time interval of 1 houris desirable. Thus, multiple entries are made in the look-up table inthe memory for the terminating ANI 516-555-1313, and the entries arefurther referenced by day and time intervals. This allows processor 124a to use the time and day of the current call to look-up and retrieve athreshold number and time interval for the terminating ANI that istailored to the time and day of the call.

The threshold and time interval may be adjusted to generate a fraudalert for lesser calling activity directed at a particular terminatingANI. For example, statistics may show that calls to a terminating ANI ina foreign country having country code 31 and city code 20 have a highpercentage of fraud. Thus, for any terminating ANI having country code31 and city code 20, it may therefore be desirable to have a fraud alertgenerated using a threshold of 2 different billing numbers over a onehour period. Thus, an entry is created in the look-up table forterminating ANI “011-31-20-*”, where 011 identifies a foreign call, 31is the country code, 20 is the city code and the asterisk matches anysubsequent numbers in a terminating ANI. (Thus, the reduced thresholdand time interval will be retrieved for any call to a terminating ANI inforeign city 20.) The threshold number 2 and time interval 1 hour isalso stored in the entry.

If the current call is to a terminating ANI in the foreign city, forexample, 011-31-20-5551212, processor 124 a will check the look-up tableto determine if it matches a terminating ANI stored therein. Processor124 a will match the terminating ANI 011-31-20-5551212 with the entry011-31-20-* in the look-up table, since the asterisk denotes anysequence of subsequent numbers. Thus, processor 124 a retrieves thecorresponding threshold 2 and time interval 1 hour from the entry in thelook-up table. Processor 124 a will also retrieve prior calling recordscreated and stored in memory 124 b for the terminating ANI011-31-20-5551212 and evaluate them, along with the current call, usingthe retrieved threshold number 2 and time interval 1 hour. If the datafor the current and past calls to the terminating ANI shows that two ormore different billing numbers have been used for calls within an hour,an alert is generated for the terminating ANI. If not, then a callingrecord is created for the current call and stored in the memory 124 b.(A calling record may be created for the current call even if an alertis generated.)

As described above, more than one threshold number and time interval maybe stored in memory 124 b for a particular terminating ANI. Eachthreshold number and time interval stored for a particular terminatingANI may be correlated to other factors. For calls to a foreignterminating ANI, for example, such factors may include the type oforiginating ANI the current call is made from and the type of billingproduct used for the current call.

For example, for calls to foreign terminating ANIs 011-31-20-* used inthe example above, the threshold number and time interval used togenerate a fraud alert may differ depending on whether the call is madefrom an originating ANI that is a coin operated payphone or from acoinless payphone. Statistics may show that fraud is more prevalent toterminating ANIs in this foreign city for calls that originate from acoin operated payphone (which are typically located in highly accessiblepublic places, such as train stations) than from a coinless payphone(which may be in a less prevalent public area, such as a hotel lobby).Thus, a threshold number of 2 different billing numbers in a one hourtime interval may be appropriate for calls originating at a coinoperated payphone, while a threshold number of 5 different billingnumbers in a one hour interval may be appropriate for calls originatingfrom a coinless payphone.

Thus, multiple entries are made in the look-up table in the memory forthe terminating ANI 011-31-20-*, and the threshold number and timeinterval entries are further referenced by the type of originating ANI.(A call received by an ISN platform will include a “Bell Coreinformation digit” which identifies the type of originating ANI from theCLEC. Thus, a call from an coin operated payphone will includeinformation digit “27”, while a call from a coinless payphone willinclude information digit “7”.) This allows processor 124 a to use theterminating ANI (such as terminating ANI 011-31-20-5551212) and the typeof originating ANI (identified from the information digit) to look-upand retrieve the appropriate threshold number and time interval for thecall. (A default threshold number and time interval may also be storedfor calls to the terminating ANI that originate from other types oforiginating ANIs.)

Similarly, different thresholds and time intervals may be stored for aterminating ANI (or terminating ANIs), the various thresholds and timeintervals referenced by the category or type of billing product used forthe current call. Thus, calls to foreign terminating ANIs 011-31-20-*may be more likely to be fraudulent if placed with a credit card thanwith a calling card (both being categories of billing products), andseparate thresholds and time intervals may thus be stored referenced bycategory of billing products. A particular type of calling card, such asan MCI VNET calling card, may have even less incidence of fraud, soanother threshold and time interval may be stored for the terminatingANI referenced by the “calling card” category and “MCI VNET” type. Adefault threshold number and time interval may also be stored forspecial services calls to the terminating ANI for calls that use othercategories and types of billing products.

FIG. 3 shows a flowchart of general procedures performed by the system124 of FIG. 2 in carrying out embodiments of the invention exemplifiedabove. In step 200, the processor 124 a receives data for a specialservices call currently being routed to a terminating ANI. The dataincludes the terminating ANI and the billing number used for the call.The time of the call is also received or may alternatively be assignedas the time of receipt of data for the current call by the system 124.Additional data may also be received as discussed above, such as theinformation digit of the originating ANI, information related to thetype and category of billing product, etc. At step 202, the processor124 a retrieves calling records (if any) for the terminating ANI frommemory 124 b. Each calling record for the terminating ANI includes atleast the time of a prior call (or, equivalently, elapsed time since thecall) and the billing number used for the prior call.

The processor 124 a checks a look-up table for the terminating ANI atstep 204 and, if the terminating ANI is found, retrieves an appropriatethreshold number and a time interval at step 206. The threshold numberand time interval retrieved may be chosen from a number of thresholdnumbers and time intervals stored for the terminating ANI which arecorrelated to other factors. For example, the threshold number and timeinterval selected for the terminating ANI may depend on the type of theoriginating ANI, or the type and/or category of billing product. If so,processor 124 a uses additional data received in step 200 for thecurrent call, namely, the information digit or the category and/or typeof billing product, to choose the applicable threshold number and timeinterval for the terminating ANI. If, however, the threshold number andtime interval selected for the terminating ANI depends on the time ofday and/or the day of week, then processor 124 a may make the selectionbased on its internal clock and calendar.

If the terminating ANI is not found in the look-up table, a defaultthreshold number and time interval are used, as shown in step 208. Thethreshold number and time interval selected in either step 206 or 208represents the threshold number of different billing numbers used forcalls to the terminating ANI over the time interval.

The billing number for the current call and the billing numbers forprior calls, and the times of those calls are evaluated at step 210 todetermine if the threshold number has been met or exceeded over the timeinterval. Thus, the number of different billing numbers used for thecurrent and prior calls to the terminating ANI are counted for a priorperiod of time equal to or less than the time interval. If the number ofdifferent billing numbers meets or exceeds the threshold, a fraud alertis generated at step 212. A fraud alert initiates fraud preventionprocessing (step 216), described further below.

If the number of different billing numbers does not meet or exceed thethreshold, then a call record for the current call is created (step214), which includes the terminating ANI, the billing number and thetime of the call. A call record may also be created for the current calleven if a fraud alert is generated in step 212, as indicated by thedashed line from step 212 to step 214.

It is noted that other sequences of steps may be used in FIG. 3. Forexample, step 202 may be performed after steps 206 and 208. In addition,a calling record for the current call may be created and stored (shownin step 214) any time after the data is received in step 200.

As noted, if a fraud alert is generated in step 212, fraud preventionprocessing is initiated in step 216. The processing related to fraudprevention may include sending the calling data for the terminating ANIto a fraud analyst for further consideration. The fraud analyst maydetermine whether to block or intercept future calls to the terminatingANI. Alternatively, further special services calls to the terminatingANI may be immediately blocked. Blocking calls to the terminating ANImay be accomplished by storing the terminating ANI in a blockingdatabase, such as blocking database 122 shown in FIG. 2. Before asubsequent special service call received via the ARU 132 or MTOC 134 isconnected, the blocking database 122 is checked to see whether theterminating ANI for the call is included therein. (Blocking database 122is depicted in FIG. 2 as interfacing with fraud control center 120because it may be located in the same physical facility as fraud controlcenter 120. However, the ARU 132 and the MTOC 134 may access theblocking database 122 as if it were connected directly to the ethernetrail 138.) If the terminating ANI is found in the blocking database 122,the call is not connected.

In addition, the billing numbers used to make the current and priorcalls to the terminating ANI may also be blocked either immediately orafter further consideration by a fraud analyst. This may also beaccomplished by storing the billing numbers in the blocking database 122or a similarly configured database. The billing numbers may becategorized in the database according to category and/or type of billingproduct. Before a subsequent special services call received via the ARU132 or MTOC 134 is connected, the blocking database is checked todetermine whether the billing number being used for the call is includedtherein. The check of the database may also use the category and type ofthe billing product to look up the billing number. If the billing numberis found in the database, the call is not connected.

Referring back to FIG. 3, it was noted that, even if a fraud alert isgenerated in step 212, a calling record may be created and stored forthe current call. Such a calling record may be created even where afraud alert is generated because, for example, a fraud analyst may electnot to block the terminating ANI based on the present calling pattern.Thus, the calling record for the current call may be used to evaluatefuture calls to the terminating ANI for potentially fraudulent callingpatterns.

The processing of the present invention need not necessarily be made atthe time a call is received from an originating ANI to a terminatingANI. Calling records for calls may be accumulated and then processed.The processing may occur periodically, such as every ten minutes. Theprocessing of accumulated calling records includes separating orselecting calling records for each terminating ANI. From each group ofrecords corresponding to a terminating ANI, the number of differentbilling numbers used for calls over a time interval are then evaluatedagainst the threshold number and time interval for the terminating ANI(as found in a look-up table, or by using defaults). Fraud alerts arethen generated for each terminating ANI showing calls made with a numberof different billing numbers that met or exceeded the threshold over aperiod of time equal to or less than the time interval.

For processing that was not initiated by a current call, but insteadoccurred periodically, the look-up table may not include differentthreshold numbers and time intervals for the terminating ANI that are afunction of certain data related to a current call, such as type ofbilling product or type of originating ANI. If it does, the processor124 a may consider the last call made to the terminating ANI to be the“current call”.

As noted, processing would occur periodically and such periods would berelatively short. Periods of ten minutes may be acceptable and,generally, the periods would not exceed one or two hours. Such shortperiods provide the up-front processing needed to identify fraudulentpatterns close to the time they are initiated and to avoid long periodsof fraudulent calling without identification and prevention.

In those portions of the Detailed Description where it was elaborated, athreshold was referred to as being “met or exceeded” by the number ofdifferent billing numbers. As noted in the “Summary” section, athreshold may alternatively be defined as satisfied if it is “exceeded”.Thus, in all of the above embodiments, the determination mayalternatively be whether the threshold is exceeded by the number ofdifferent billing numbers. In addition, where specified, the data forcurrent and prior calls was considered for a period of time “less thanor equal to” the time interval. As also noted in the Summary section, aperiod of time may be alternatively defined as falling within a timeinterval if it is less than the time interval. Thus, in all of the aboveembodiments, the current and prior calls that are used in thedetermination may alternatively be for a period of time that is lessthan (but not equal to) the time interval.

While this invention has been described in connection with what ispresently considered to be the most practical and preferred embodiment,it is to be understood that the invention is not limited to thedisclosed embodiment, but, on the contrary, it is intended to covervarious modifications within the spirit and scope of the appendedclaims.

1. A system for identifying fraud in a telecommunications system, thesystem for identifying fraud comprising at least one processor, memoryand related software, the at least one processor receiving data relatedto a current call placed from an originating automatic number indicator(ANI) to a terminating ANI, the received data including at least theterminating ANI and a billing number, the processor retrieving frommemory billing numbers for prior calls to the terminating ANI, if any,and an indicia of the time of the call, and the processor alsodetermining whether the number of billing numbers used for the currentand prior calls to the terminating ANI over a prior period of timefalling within a time interval satisfying a threshold, a fraud alertbeing generated if the threshold is satisfied.
 2. The system as in claim1, wherein the billing numbers and indicia of time for prior calls tothe terminating ANI are included in calling records stored in thememory, each calling record containing data for one prior call to theterminating ANI, the calling record being referenced by terminating ANIand including the billing number used for the call and an indicia of thetime of the call.
 3. The system as in claim 2, wherein a calling recordis created for the current call.
 4. The system as in claim 1, whereinthe threshold number and time interval corresponding to at least oneterminating ANI is included in a look-up table stored in the memory. 5.The system as in claim 4, wherein at least some terminating ANIs in thelook-up table have two or more threshold numbers and time intervalscorresponding thereto, the two or more thresholds and time intervalscorresponding to each such terminating ANI referenced by one or moreadditional factors.
 6. The system as in claim 5, wherein the one or moreadditional factors are selected from the time of day, the day of theweek, the type of originating ANI of the current call, the category ofbilling product used for the current call and the type of billingproduct used for the current call.
 7. The system as in claim 6, whereinthe data received by the processor related to the current call to theterminating ANI includes data corresponding to the one or moreadditional factors, and the processor selects one of the thresholds andtime intervals for the terminating ANI using the received datacorresponding to the one or more additional factors.
 8. The system as inclaim 1, wherein the prior period of time spans from the time of thecurrent call backwards in time equal to the time interval, the processorcounting the number of different billing numbers for the current calland all prior calls to the terminating ANI that fall within the priorperiod of time and comparing the number with the threshold.
 9. Thesystem as in claim 1, wherein data related to the current call isreceived by the at least one processor from components of saidtelecommunications system that receive and process special servicescalls.
 10. A method of identifying fraud in a telecommunications system,the method comprising the steps of a) receiving data related to acurrent call placed from an originating ANI to a terminating ANI, thereceived data including at least the terminating ANI and a billingnumber; b) retrieving billing numbers for prior calls to the terminatingANI, if any, and corresponding indicia of the times of the calls; c)determining whether the number of billing numbers used for the currentand prior calls to the terminating ANI over a prior period of timefalling within a time interval satisfies a threshold number; and d)generating a fraud alert if the threshold number is satisfied.
 11. Themethod as in claim 10, wherein the billing numbers and indicia of timefor prior calls to the terminating ANI are retrieved from stored callingrecords, each calling record containing data for one prior call to theterminating, ANI, the calling record being referenced by the terminatingANI and including the billing number used for the call and an indicia ofthe time of the call.
 12. The method as in claim 11, the methodincluding the additional step of creating a calling record for thecurrent call and storing the calling record, the calling recordincluding the terminating ANI, the billing number and an indicia of thetime of the call, the calling record being referenced in the memory bythe terminating ANI.
 13. The method as in claim 10, including theadditional step of retrieving the threshold number and time interval forthe terminating ANI.
 14. The method as in claim 13, wherein the step ofretrieving the threshold number and time interval for the terminatingANI includes selecting among two or more threshold numbers and timeintervals for the terminating ANI.
 15. The method as in claim 14,wherein one of the two or more threshold numbers and time intervals forthe terminating ANI are selected based upon one or more additionalfactors.
 16. The method as in claim 15, wherein the data relating to theone or more additional factors is received with the data related to thecurrent call.
 17. The method as in claim 10, wherein, the step ofdetermining whether the number of billing numbers used for the currentand prior calls to the terminating ANI over a prior period of timefalling within the time interval satisfies the threshold number includescounting the number of different billing numbers for the current calland all prior calls to the terminating ANI spanning from the time of thecurrent call backwards in time equal to the time interval and comparingthe count of different billing numbers with the threshold number. 18.The method as in claim 10, wherein the generation of a fraud alertinitiates processing related to prevention of fraudulent calling to theterminating ANI.
 19. The method as in claim 10, wherein the threshold issatisfied if it is met or exceeded.
 20. The method as in claim 10,wherein the threshold is satisfied if it is exceeded.
 21. The method asin claim 10, wherein the prior period of time is less than or equal tothe time interval.
 22. The method as in claim 10, wherein the priorperiod of time is less than the time interval.
 23. The method as inclaim 10, wherein the step of generating a fraud alert is followed byfurther processing, including the step of blocking subsequent calls tothe terminating ANI.
 24. The method as in claim 10, wherein the step ofgenerating a fraud alert is followed by further processing, includingthe step of blocking subsequent calls that use the billing numbers usedfor the current and prior calls to the terminating ANI.
 25. A method ofidentifying fraud in a telecommunications system, the method comprisingthe steps of a) receiving data related to a current call placed to aterminating ANI, the received data including the terminating ANI and abilling number; b) storing the received data and an indicia of the timeof the call; c) at an initiating event, retrieving the billing numbersand corresponding indicia of times of calls to the terminating ANI; d)determining whether the number of billing numbers used for calls to theterminating ZNI over a prior period of time falling within a timeinterval satisfies a threshold; and e) generating a fraud alert if thethreshold is satisfied.
 26. The method as in claim 25, wherein theinitiating event is the receipt of data related to the current callplaced to the terminating ANI.
 27. The method as in claim 25, whereinthe initiating event is the elapse of a period of time.